Google has discovered 11 security flaws in Samsung's flagship Android handset, the Galaxy S6 Edge.
The Samsung device is the latest target in the sights of Project Zero, Google's team of elite hackers. The group has previously probed several antivirus products and even Android itself, and has poked around in Windows and found serious bugs.
Most of the issues have already been fixed after Google notified Samsung, but some have yet to be addressed. One independent expert stated that the bugs have significantly weakened the security of Google's operating system, ZDNet reported.
The most significant of the 11 bugs affecting the Galaxy S6 Edge was spotted by Project Zero researcher Mark Brand, who in late July told Samsung about a directory traversal bug in the device's WifiHs20UtilityService. The service scans for a zip file at /sdcard/Download/cred.zip and unzips it. Project Zero member Natalie Silvanovich also explained that the API used to unzip the file does not verify the file path, so files can be written to unexpected locations.
Among the vulnerabilities was a weakness found in Samsung's email software that could have allowed hackers to forward a victim's messages to their own account, according to the BBC. Another bug allowed attackers to change the settings of Samsung's photo-viewing app by sending the handset a specially encoded image. However, Google said that the most interesting issue was the existence of a "directory traversal bug" in a Wi-Fi utility built into the phone.
Another high-severity bug affecting Samsung's email client was easy to exploit, according to Google. A service used to support quick replies lacked authentication, allowing an unprivileged application to potentially gain access to email content.
Details of the remaining bugs can be found on Project Zero's blog and its database of closed flaws. Project Zero gives mobile vendors 90 days to fix bugs it reports. The idea is to push vendors to fix bugs sooner rather than later.
Samsung encourages users to keep their software and apps updated at all times.